Skip to main content

uutils coreutils CVE-2026-35374

| EUVDEUVD-2026-25024 MEDIUM
Time-of-check Time-of-use (TOCTOU) Race Condition (CWE-367)
2026-04-22 canonical GHSA-4wrp-79m8-9m9p
6.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.3 MEDIUM
AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Apr 23, 2026 - 07:05 vuln.today
EUVD ID Assigned
Apr 22, 2026 - 16:31 euvd
EUVD-2026-25024
Analysis Generated
Apr 22, 2026 - 16:31 vuln.today
Patch released
Apr 22, 2026 - 16:31 nvd
Patch available
CVE Published
Apr 22, 2026 - 16:09 nvd
MEDIUM 6.3

DescriptionCVE.org

A Time-of-Check to Time-of-Use (TOCTOU) vulnerability exists in the split utility of uutils coreutils. The program attempts to prevent data loss by checking for identity between input and output files using their file paths before initiating the split operation. However, the utility subsequently opens the output file with truncation after this path-based validation is complete. A local attacker with write access to the directory can exploit this race window by manipulating mutable path components (e.g., swapping a path with a symbolic link). This can cause split to truncate and write to an unintended target file, potentially including the input file itself or other sensitive files accessible to the process, leading to permanent data loss.

AnalysisAI

The split utility in uutils coreutils contains a time-of-check to time-of-use (TOCTOU) race condition that allows local attackers with directory write access to manipulate symbolic links between the initial path validation and file truncation, causing data loss to unintended target files including the input file or other sensitive files. CVSS 6.3 (local, high complexity, low privilege required); SSVC assesses as non-exploitable in automated attacks but partial technical impact due to manual race window exploitation requirements.

Technical ContextAI

The vulnerability stems from CWE-367 (improper restriction of rendered UI layers or frames), manifesting as a TOCTOU race condition in file path validation. The split utility first validates that input and output file paths differ using string comparison, then later opens the output file with truncation flags. This two-step process creates a window where a local attacker with write permissions to the target directory can swap a non-symbolic-link path with a symbolic link pointing to a sensitive file (input file, system configuration, user data). The path-based check passes because the symbolic link itself differs from the input path, but the subsequent open() call with O_TRUNC follows the link and truncates the link target. CPE indicates all versions of uutils coreutils are affected.

RemediationAI

Vendor-released patch available via GitHub pull request https://github.com/uutils/coreutils/pull/11401. Update uutils coreutils to the patched version as soon as it is released. As immediate compensating control for multi-user systems where local attackers exist, disable split command execution for untrusted users via Unix access controls (chmod, sudo rules), or restrict write permissions to directories where split might be executed. This introduces usability trade-offs in shared systems. No functional workaround exists short of these access controls, as the root cause requires fixing the underlying TOCTOU logic to perform atomic validation-and-open operations or use file descriptor-based operations that prevent symbolic link traversal between checks.

CVE-2014-9471 HIGH POC
7.5 Jan 16

The parse_datetime function in GNU coreutils allows remote attackers to cause a denial of service (crash) or possibly ex

CVE-2026-35368 HIGH
7.8 Apr 22

Privilege escalation to root in uutils coreutils chroot utility allows low-privileged local attackers with write access

CVE-2026-35338 HIGH POC
7.3 Apr 22

Recursive chmod operations can bypass --preserve-root protection in uutils coreutils versions prior to 0.6.0, allowing l

CVE-2026-35341 HIGH POC
7.1 Apr 22

Local privilege escalation in uutils coreutils mkfifo allows authenticated users to downgrade permissions on arbitrary f

CVE-2026-35352 HIGH
7.0 Apr 22

Privilege escalation in uutils coreutils mkfifo utility allows local attackers with low privileges to manipulate file pe

CVE-2026-35349 MEDIUM
6.7 Apr 22

Bypass of --preserve-root protection in uutils coreutils rm utility allows local users to recursively delete the root fi

CVE-2026-35365 MEDIUM
6.6 Apr 22

The mv utility in uutils coreutils improperly expands symbolic links instead of preserving them during moves across file

CVE-2026-35350 MEDIUM
6.6 Apr 22

The cp utility in uutils coreutils improperly preserves setuid and setgid bits when the chown operation fails during fil

CVE-2026-35364 MEDIUM
6.3 Apr 22

A time-of-check to time-of-use (TOCTOU) race condition in the mv utility of uutils coreutils during cross-device move op

CVE-2026-35360 MEDIUM
6.3 Apr 22

The touch utility in uutils coreutils suffers from a Time-of-Check to Time-of-Use (TOCTOU) race condition that allows lo

CVE-2026-35356 MEDIUM
6.3 Apr 22

Privilege escalation via symlink attack in uutils coreutils install utility when using the -D flag allows local attacker

CVE-2026-35355 MEDIUM
6.3 Apr 22

Time-of-Check to Time-of-Use (TOCTOU) race condition in uutils coreutils install utility allows local authenticated atta

Share

CVE-2026-35374 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy